[netsa-tools-discuss] 'rwfileinfo invocation failed' with iSilk and recent silk tools

Steve Kersley steve.kersley at keble.ox.ac.uk
Thu Oct 13 06:16:11 EDT 2016


Hi Mark,
Thanks for the very prompt fix and assurance that it was not some oversight on my part!

There didn't seem to be a patch attached to your email however, but thanks to your explanation of the cause I was able to quickly find where the title needed setting in your stringmap table, and now it works again.

Thanks again,
Steve.

-----Original Message-----
From: Mark Thomas [mailto:mthomas at cert.org] 
Sent: 12 October 2016 18:49
To: Steve Kersley <steve.kersley at keble.ox.ac.uk>
Cc: netsa-tools-discuss at cert.org
Subject: Re: [netsa-tools-discuss] 'rwfileinfo invocation failed' with iSilk and recent silk tools

Steve-

Thank you for bringing this to my attention.

A patch file for rwfileinfo's source code is attached.  To attach the patch, save it to a temporary location, such as /tmp/rwfileinfo.c.patch, change directory into the top of the silk-3.13.0 source tree, and run

  patch -p1 < /tmp/rwfileinfo.c.patch

Then re-build and re-install the SiLK tools.


Explanation:

When adding the --help-fields switch to rwfileinfo in SiLK 3.12.2, I unintentionally changed the title of the compression field from:

  compression(id)     lzo1x(2)

to

  compression         lzo1x(2)

The missing "(id)" is causing iSiLK to reject rwfileinfo's output.

The attached patch restores the old title.  The patch applies cleanly to both 3.12.2 and 3.13.0.

This fix will be included in the next SiLK release, but there is no firm date for when that will occur.

Thanks again.

-Mark


-----Original Message-----
From: Steve Kersley <steve.kersley at keble.ox.ac.uk>
Date: Wed, 12 Oct 2016 15:54:08 +0000
To: "netsa-tools-discuss at cert.org" <netsa-tools-discuss at cert.org>
Subject: [netsa-tools-discuss] 'rwfileinfo invocation failed' with iSilk and recent silk tools

Hello all,
I've been using the silk tools for a while to capture netflow data and only occasionally need to query it, which we generally do with iSilk.

It had been working fine until yesterday, using iSilk 0.62 and silk 3.11.0.1.  However, since upgrading silk to both 3.12.2 and 3.13.0, iSilk is unable to run a query.  I create a new problem set, use the query builder but on running the query, after it finishes running rwfilter it pops up an error: 'rwfileinfo invocation failed'
'Unexpected output', and fails to save the query.

The files it created are still present in the remote directory.  If I look in the command log and run the commands directly on the server, they all work with no errors, including rwfileinfo.  I've compared the output of rwfileinfo from the 3.11.0.1 version of silk to that from the later versions and can see no difference.  Doesn't seem to matter what the query parameters are, they all fail.  I couldn't see anything in the changelog after 3.11.0.1 that stood out.

Does anyone have any idea where to start looking for the problem?  Is iSilk working for others with current releases of silk? Or do most people simply use the processing tools natively?

Thanks,
Steve Kersley,
IT Manager,
Keble College, University of Oxford.

